Replace Crypto.Random with os.urandom

RHEL/CentOS 6 installations ship python-crypto 2.0, which does not include Crypto.Random. However, os.urandom is guaranteed to be cryptographically secure on GNU/Linux, BSD, and Windows. So, there is nothing gained my using Crypto.Random when os.urandom exists, and does not compromise security. Now older operating systems can be fully supporting without yak shaving.
atoponce · Jan 1, 2015 · bf3bb43 · bf3bb43
1 parent 479ced9
commit bf3bb43
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/note.py b/note.py
@@ -2,7 +2,6 @@
 import base64
 import os
 import zlib
-from Crypto import Random
 from Crypto.Cipher import AES
 from Crypto.Hash import HMAC, SHA512
 from Crypto.Protocol import KDF
@@ -55,7 +54,7 @@ def create_url(self):
             - 256-bits for AES-256 key
             - 512-bits for HMAC-SHA512 key"""
 
-        self.nonce = Random.new().read(16)
+        self.nonce = os.urandom(16)
         self.f_key = KDF.PBKDF2(
             self.nonce, dconfig.nonce_salt.decode("hex"), 16)
         self.aes_key = KDF.PBKDF2(
@@ -108,14 +107,13 @@ def secure_remove(self):
         assumptions about the underlying filesystem, whether it's journaled,
         copy-on-write, or whatever."""
 
-        rand = Random.new()
         for kind in (None, 'key', 'dkey'):
             if not os.path.exists(self.path(kind)):
                 continue
             with open(self.path(kind), "r+") as note:
                 for char in xrange(os.stat(note.name).st_size):
                     note.seek(char)
-                    note.write(str(rand.read(1)))
+                    note.write(str(os.urandom(1)))
             os.remove(self.path(kind))
 
     def encrypt(self):
@@ -127,7 +125,7 @@ def encrypt(self):
 
         plain = zlib.compress(self.plaintext.encode('utf-8'))
         with open(self.path(), 'w') as note:
-            init_value = Random.new().read(12) # 96-bits
+            init_value = os.urandom(12)
             ctr = Counter.new(128,
                               initial_value=long(init_value.encode('hex'), 16))
             aes = AES.new(self.aes_key, AES.MODE_CTR, counter=ctr)

diff --git a/setup.py b/setup.py
@@ -1,17 +1,16 @@
 #!/usr/bin/python
 
 import os
-from Crypto import Random
 
 DCONFIG = os.path.dirname(os.path.realpath(__file__)) + "/dconfig.py"
 DATA_DIR = os.path.dirname(os.path.realpath(__file__)) + "/data"
 
 if not os.path.exists(DCONFIG):
     with open(DCONFIG, 'w') as f:
-        f.write('aes_salt = "%s"\n' % Random.new().read(16).encode('hex'))
-        f.write('mac_salt = "%s"\n' % Random.new().read(16).encode('hex'))
-        f.write('nonce_salt = "%s"\n' % Random.new().read(16).encode('hex'))
-        f.write('duress_salt = "%s"\n' % Random.new().read(16).encode('hex'))
+        f.write('aes_salt = "%s"\n' % os.urandom(16).encode('hex'))
+        f.write('mac_salt = "%s"\n' % os.urandom(16).encode('hex'))
+        f.write('nonce_salt = "%s"\n' % os.urandom(16).encode('hex'))
+        f.write('duress_salt = "%s"\n' % os.urandom(16).encode('hex'))
     os.chmod(DCONFIG, 0440)
 
 if not os.path.exists(DATA_DIR):